Staff Picks for Splunk Security Reading March 2019

Howdy, folks!

A new month, so a new list of staff picks for Splunk security reading! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we're bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

For more reading, check out our monthly staff security picks and our all-time best picks for security books and articles! I hope you enjoy.


Ryan Kovar

4+ years

Breaking Intrusion Kill Chains with AWS by Tim Rains, Dave Walker, and Enrico Massi

Anyone who talks to me long enough will find out that I have a massive crush on the Lockheed Martin Cyber Kill Chain white paper. It doesn't apply to every organization (and is often abused by marketing departments) but if you read the actual Lockheed whitepaper, you'll have an invaluable security model to apply to your brick and mortar defenses! One of the major criticisms of the LM Kill Chain is that it is difficult to apply to cloud infrastructure. Imagine my pleasant surprise when I saw this white paper released by security architects at Amazon! It goes over each phase of the kill chain, how it applies to AWS cloud, and then the technologies that will give you visibility into that section of your defenses. I especially liked the end where the authors discuss the AWS Cloud Adoption Framework (AWS CAF). This framework is a best practice approach to review your cloud adoption and apply security controls appropriately. For those of you (or preferably all of us) who are struggling with adopting security in the Amazon cloud, this is a great document to start!

John Stoner

4+ years

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers by Kim Zetter

This supply chain attack placed a piece of malware—signed by ASUS—onto their update servers, and Kaspersky estimates that at least 500K Windows systems have downloaded and installed this backdoor. This obviously isn't good, but there are some interesting twists to this attack, one of which is that the code that Kaspersky examined contained 600 hardcoded MD5-hashed MAC addresses. So while over half a million systems might be carrying this software, only a tiny percentage were targeted and would attempt to call back to the C2 server. The C2 site was taken offline in November 2018 before the attack was identified, so access to the second stage and specific victims is currently not available to the researchers. Kaspersky has hypothesized that there may be some linkage of this incident, which they call ShadowHammer, to the ShadowPad incident that Microsoft identified as the APT group Barium in US court documents. However, there is no additional information in the Kaspersky blog post at this time to support that statement. A broader report is planned to be released in the next month. Resources are becoming available from many AV vendors, so if you use ASUS for updates, you should check to see if you have been impacted.
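The pick above describes a backdoor that carried MD5 hashes of its intended victims' MAC addresses and only phoned home on a match. The same comparison run in reverse is the impact check the vendor tools provide: hash every MAC on a host and look it up in an indicator list. This is an added example, not code from the article or from Kaspersky; the indicator hashes and host MACs are constructed, and because the page does not say which textual spelling of the MAC was hashed, several common spellings are tried (an assumption).

```python
"""Triage check for hashed-MAC targeting (added example, constructed data)."""
import hashlib
import re


def mac_forms(mac: str) -> list[str]:
    """Return the spellings of a MAC that get hashed.

    The real list's input format is not given on the page, so this tries the
    common OS spellings (assumption). Raises ValueError on malformed input.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    return [
        ":".join(pairs).lower(),  # 00:11:22:33:44:55 (Linux / macOS style)
        ":".join(pairs).upper(),  # 00:11:22:33:44:55 upper-cased
        "-".join(pairs).upper(),  # 00-11-22-33-44-55 (Windows ipconfig style)
        "".join(pairs).upper(),   # 001122334455 (no separator)
    ]


def md5_hex(text: str) -> str:
    """MD5 of an ASCII string as a lowercase hex digest."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def targeted_macs(host_macs, indicator_hashes) -> list[str]:
    """Return the host MACs whose hash, in any tried spelling, is an indicator."""
    wanted = {h.lower() for h in indicator_hashes}
    return [
        mac for mac in host_macs
        if any(md5_hex(form) in wanted for form in mac_forms(mac))
    ]


# Constructed indicator list: the hash of one made-up target MAC in the
# Windows dash spelling, plus one unrelated hash. NOT the real ShadowHammer list.
SAMPLE_INDICATORS = [md5_hex("00-11-22-33-44-55"), md5_hex("AA-BB-CC-DD-EE-FF")]

# Constructed host inventory: one adapter matches, one does not.
SAMPLE_HOST_MACS = ["00:11:22:33:44:55", "de:ad:be:ef:00:01"]

if __name__ == "__main__":
    hits = targeted_macs(SAMPLE_HOST_MACS, SAMPLE_INDICATORS)
    print("targeted adapters:", hits or "none")
```

On a real host, feed `targeted_macs` the adapter addresses from your inventory tool and a vendor-published hash list; a match is a triage lead, not proof of compromise on its own.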

Derek King

2ish years

Ransomware Forces Two Chemical Companies to Order 'Hundreds of New Computers' by Lorenzo Franceschi-Bicchierai

With the exception of tweeting the excellent staff picks each month, I'm not known for posting lots on Twitter. But I do love to stalk...erm, follow fellow security researchers and contributors alike. @badthingsdaily is always up there to read. It offers tabletop exercises for you to use as the impetus for security-related discussions and potential for change in your environment. In the words of the author, they post "fictional, or headline inspired scenarios." I can't help but wonder whether the two American chemical companies shut down due to LockerGoga ransomware this week could have benefitted from some of the @badthingsdaily goodness!

Ian Forrest

1ish years

These Cookie Warning Shenanigans Have Got to Stop by Troy Hunt

First, I'll say it's nice to be in such prestigious company with my esteemed colleagues. This month I've selected an article from the recent Infosecurity Hall of Fame inductee, Troy Hunt (congratulations, Troy). The article's about those (absolutely ridiculous) "cookie-walls" that we now get the pleasure of experiencing on almost every website we want to visit. I originally clicked on it because I thought it would just be a rant about how dumb they are, and I like when smart people agree with my opinion. 🙂 Don't get me wrong, it's definitely got some ranting in it and even some *gulp* swear words (children, cover your eyes). But it also has some other interesting nuggets, the first being a link to an article on the Dutch DPA's statement that cookie-walls don't comply with GDPR because a decision has to be offered freely—the argument being that if you say "comply or deny," it's not free will. The next nugget is a link to a website called, which analyzes your browser fingerprint to see if you can indeed be tracked. As it turns out, I can! On the one hand, yikes; on the other hand, it finally proves to my wife what I've been saying all along—I'm one-of-a-kind baby! Lastly (and this is the argument that I can't get out of my head), there is what Troy has to say about how these cookie walls are desensitizing users to legitimate security warnings and, even worse, malware. When the average user is "conditioned" to just say "yes," we are in for a world of trouble. I don't want to even think about the phone calls I'm gonna get from my mom. For all you Splunkers out there, now would be a good time to make sure you've got some good endpoint data.

Joel Ebrahimi

Donnie Wahlberg

Update ColdFusion Now, Critical Zero-Day Bug Exploited in the Wild by Ionut Ilascu

It comes as no surprise to see yet another critical vulnerability in Adobe ColdFusion. The web application server has been plagued with vulnerabilities ever since its inception. The current CVE count is 94, with many of these being critical vulnerabilities (CVE list), and this time it's no exception. The current vulnerability allows for executable code to be uploaded to a web directory, and then, through an HTTP request, that code can be executed. Remote code execution is generally the worst type of vulnerability; at least the privilege will be contained to the ColdFusion service user, and hopefully this is not root! Charlie Arehart, a ColdFusion programmer, was credited with discovering this due to it affecting one of his systems, which means there is already exploit code being used for this out in the wild. What is surprising (at least to me) is to see a large number of ColdFusion servers still being used today. This exploit affected all versions of the server, so if you are one of the 3+ million using ColdFusion, make sure you are patched.

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.
